NetBus - Backdoor for Win 95/98 and Win NT

The "NetBus-Story" - an introduction

NetBus is a "Trojan Horse" with functionality similar to
"Back Orifice".
That means it opens a "backdoor" to a PC, so that anybody can access
your PC from the network without your noticing. NetBus is much more user-friendly
than Back Orifice. It was programmed by a Swedish guy called Carl-Fredrik
Neikter, who published the first version in mid-March 1998. To date there
are several versions: 1.60, 1.70 and the latest one, NetBus
2.01 Pro. All information on this page is valid for NetBus 1.60
and 1.70. Information about NetBus Pro can be found on an additional
page.

NetBus - how it works

NetBus consists of two parts: a client program ("netbus.exe") and a server program, often named "patch.exe" (or "SysEdit.exe" with version 1.5x), which is
the actual backdoor. Version 1.60 uses TCP/UDP port "12345", which can't be altered; from version 1.70 onward the port can be configured.
Additional information can be found in the author's original documents: Version 1.60 or Version
1.70.

NetBus - how to notice and how to fight

The NetBus server can be found in the system directory (i.e. "\win95" or "\winnt") and is started together with Windows. The name of the file differs: with NetBus 1.60 it is named "patch.exe", with NetBus 1.5x "SysEdit.exe", and if it is installed by a "game" called "whackamole" (file name: "whackjob.zip", which contains the NetBus 1.53 server), its name is "explore.exe". There is also a file called whackjob17.zip,
which installs the server of NetBus 1.70 and uses port 12631. Additionally, it is password protected (PW: "ecoli"). The NetBus server is installed by "game.exe" during the setup routine; the name of the server is actually "explore.exe", located in the Windows directory.
Normally all servers use the same icon.
To start the server automatically, there is an entry in the registry at "\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", normally used with the option "/nomsg". If this entry is deleted, the server won't be started with Windows.
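
The indicators listed above (the server file names, the "/nomsg" Run entry and the ports 12345 and 12631) can be checked against saved "reg query" and "netstat -an" output. The Python sketch below is an added example, not part of the original page; its function names are assumptions and its sample input is constructed.

```python
import re

SERVER_NAMES = {"patch.exe", "sysedit.exe", "explore.exe"}  # names from the page
DEFAULT_PORTS = {12345, 12631}  # 1.60 fixed port; whackjob17.zip (1.70) port

def exe_name(command):  # base name of the program in a Run command, lower-cased
    m = re.match(r'"([^"]+)"|(\S+)', command.strip())
    path = (m.group(1) or m.group(2)) if m else ""
    return re.split(r"[\\/]", path)[-1].lower()

def check_run_entries(reg_query_text):
    """Return (value name, command, reasons) for suspicious Run values."""
    hits = []
    for line in reg_query_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line)
        if not m:
            continue  # key header or blank line
        value, command = m.group(1), m.group(2).strip()
        reasons = []
        if exe_name(command) in SERVER_NAMES:
            reasons.append("server file name")
        if "/nomsg" in command.lower().split():
            reasons.append("/nomsg option")
        if reasons:
            hits.append((value, command, reasons))
    return hits

def check_listeners(netstat_text):
    """Return listening TCP/UDP ports that match a port named on the page."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        tcp = len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING"
        udp = len(f) >= 2 and f[0] == "UDP"  # UDP rows carry no state column
        port = f[1].rsplit(":", 1)[-1] if (tcp or udp) else ""
        if port.isdigit() and int(port) in DEFAULT_PORTS:
            ports.add(int(port))
    return sorted(ports)

# Constructed sample input (not captured from a real machine).
SAMPLE_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Shell    REG_SZ    "C:\WINDOWS\explorer.exe"
    PATCH    REG_SZ    C:\WINDOWS\patch.exe /nomsg
"""
SAMPLE_NETSTAT = """
  TCP    0.0.0.0:12345    0.0.0.0:0      LISTENING
  TCP    10.0.0.5:12631   10.0.0.9:80    ESTABLISHED
"""
```

Because the port is configurable from version 1.70 onward, an empty result from the port check does not rule out a running server; a file name match on its own is a lead to verify, not proof.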

You can also delete the NetBus server using the client program itself (which can be downloaded here). Click "Server Admin" - "Remove Server". To uninstall the server from your own PC, enter the name "localhost" or the IP address 127.0.0.1.

NetBus: Legal Stuff, FAQ

Please have a look at this special page - and
please read this information before contacting me via e-mail or ICQ.